Cyber Threats Targeting Mergers and Acquisitions

Recommendations

Info

10 Risk Considerations for Mergers and Acquisitions 1. Infrastructure • Provide logical and physical diagrams of the networks and locations • List all network hardware in place • List of routers including locations, manufacturer, model and rules • List of access control policies, mechanisms and network segmentation • List of domain names used with any hardware of software (e.g. email domains and aliased domains) • List of tag holders, domain name servers and expiry dates for the above domain names • List of databases, including locations, versions and accesses • List of Cloud and Software as a Service providers: • List of what services are used, content hosted and geographic locations • List of agreements and contracts including dates and details of all parties • List of any other services, applications, protocols, ports and other software installed on the network and hardware not included above • Cloud based file storage • OS providers, versions and licenses • Schedule and project plan of all ongoing or planned infrastructure updates or upgrades, including location, models and versions. • Expected timeline of completion 2. Operations Security, Testing, and Mitigations • List all network security systems including location, manufacturer, model and rules • Firewalls • Intrusion detection and prevention systems, including network and host based detectors • List and description of certificates (e.g. SSL and PKI) used, including integrity report (Qualys) •List all email security and protection services (such as anti-malware, anti-spam, anti-phishing) including licenses, manufacturer, models, rules, incident reports and activity logs • List of logging systems and storage locations • List and description of access control, authentication and session management mechanisms • List of remote access methods, protocols and use policies • List all patch management solutions including patching policy, schedule for the last 6 months and any exceptions • List of any relevant data loss prevention or endpoint protection capabilities, and associated policies, activity logs and updates • Schedule of vulnerability assessments, penetration tests, code reviews and audits • Dates and scope • Results and exceptions • Risk mitigation undertaken • Schedule and documentation of actual known information security breaches, exposures and other incidents for the last 3 years – identify countermeasures adopted • Copy of incident management procedure and details of any automated remediation capabilities 3. Training and Awareness • Description of security awareness training provided and • Description of methods employees use to report security issues evidence of delivery over the last 2 years such as IP protection, including phishing phishing, data loss prevention, etc. • Assessment of corporate digital practices and regulatory • Proof of staff training on the protection of corporate intellectual property related to corporate IT/cyber policies • Proof of reputational protection programs compliance management mechanisms 4. Agreements, Policies and Procedures • List of licensed or open source software, their authors (including if the author/creator was an employee, consultant or independent contractor at the time of development) • Monitor agreements and support contracts •Disaster recovery agreements • List of internal and external security policies • Software licenses, assignments, contracts, beta testing agreements, warranties and guarantees • Support and/or maintenance contracts • Product documentation and manuals • Third-party software • Other intellectual property 5. Intellectual Property • List of U.S. and foreign trade names, brand names, service marks, trademarks, logos, strap lines and slogans •List of U.S. and foreign patents, patent rights, designs and innovations (wholly or jointly owned) – provide copies if applicable • List of any and all intellectual property copyrights or trademarks – provide information if applicable • Copies of terms of use, privacy statement, trademark usage guidelines, and any other policies such as content, abuse, acceptable use, security and privacy • Full details of people responsible for maintenance and protection of intellectual property rights and copies of correspondence from third parties regarding potential infringement of intellectual property rights of others 12
6. Standards and Compliance • List any mandatory or optional compliance standards, codes of practice or accreditations • Evidence of compliance with all above items in this section • Copies of governmental licenses or permits to operate in business sector, if applicable (e.g. Financial Services Authority) 7. Risk, Insurance and Continuity • List and provide copies of all company insurance policies covering property, liabilities and operations • List of any special conditions imposed by insurers • List of indemnification policies, business interruption, cyber insurance or product liability policies • List of any insurance claims for past 3 years • Copy of the business continuity plan and schedule of tests undertaken • Copy of data backup and verification policies, procedures and storage providers and/or locations 8. Staff and Resources • List of key employees, contractors and vendors who work on development, testing, operations or security and an organization chart showing line management and functional relationships • Number of employees and other staff (temporary, voluntary, support, etc.) by department and by functional area associated with developing, operating and securing the network, services, or applications including an indication of the percentage of their work that this involves • Contracts including information on confidentiality or non-competition agreements to which employees are subject • List of specific agreements with employees, independent contractors – provide copies if applicable • Copies of consulting and confidentiality agreements and for any current or former consultants • List any “Arm’s length” back office support (HR, accounting, IT, etc.) services, or shared IT infrastructure capabilities • List of user groups, roles, geographical locations and permissions • List of anyone with remote access 9. Third Party • List of other companies, partnerships, individuals or other entities who are stakeholders or contributors or suppliers • List of agreements with other companies for provision of or consumption of products and services – provide copies of the agreements if applicable • List of confidentiality and non-disclosure agreements to which the company is bound or imposes on others – provide copies if applicable • List of data and formats provided to third parties including details of those third parties and the agreements • List of data sharing, marketing agreements, co-packaging, franchises and referral agreements • Lists of any resellers and distributors – if applicable provide copies of the written agreements • List of agreements or arrangements with company employees and shareholders or with any organization they have a relationship with – provide copies if applicable 10. Customers • List all customer communication methods • List of all social media accounts, business need, use policies and authorized users/publishers • List of any claims, complaints, litigation arising out of social media use (including cyber harassment); online brand and reputation assessment • List and explanation for any major customers lost over the last 2 years • List of areas where customer supplied content is republished or recorded 13
Page 1 and 2: Cyber Threats Targeting Mergers and
Page 3 and 4: Executive Summary Global merger and
Page 5 and 6: 2. Associated threat actors While c
Page 7 and 8: 3. Steps of the Merger/Acquisition
Page 9 and 10: Marketing Marketing plays an import
Page 11: Conclusion There is demonstrable ev

Cyber Threats Targeting Mergers and Acquisitions

Create successful ePaper yourself

Delete template?

Save as template?